git.ipfire.org Git - thirdparty/systemd.git/commitdiff
units: harden systemd-report-sign-plain@.service
author: Paul Meyer <katexochen0@gmail.com>
Wed, 24 Jun 2026 10:43:40 +0000 (12:43 +0200)
committer: Luca Boccassi <luca.boccassi@gmail.com>
Thu, 25 Jun 2026 09:33:01 +0000 (10:33 +0100)
Apply sandboxing. The plain backend needs a writable StateDirectory and
/dev/urandom for key generation. The service must stay root (the
private key is root-only), but everything else is locked down.

Signed-off-by: Paul Meyer <katexochen0@gmail.com>
units/systemd-report-sign-plain@.service.in

index 7778239d78afd2f1395d5256e48db3dc35249a2e..f084b33d9f26c4f1c6b46bf1dfe02a2f14003bfd 100644 (file)
@@ -19,3 +19,32 @@ WantsMountsFor=/var/lib/systemd/report.sign.plain
 StateDirectory=systemd/report.sign.plain
 StateDirectoryMode=0700
 ExecStart={{LIBEXECDIR}}/systemd-report-sign-plain
+CapabilityBoundingSet=
+DeviceAllow=
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateIPC=yes
+PrivateNetwork=yes
+PrivateTmp=disconnected
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RuntimeMaxSec=5min
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+UMask=0077
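Review bot: `SystemCallFilter=~@privileged` also drops the `@chown` group, so the backend must rely on `UMask=0077` and `StateDirectoryMode=0700` (both in this hunk) for key-file permissions rather than calling chown on what it writes; worth confirming it never does, because `SystemCallErrorNumber=EPERM` turns such a call into an EPERM return rather than a kill, which is easy to miss in testing. The empty `DeviceAllow=` is redundant with `PrivateDevices=yes`, which already implies a closed device policy while still providing /dev/urandom in the private /dev as the commit message requires; it is harmless, but a one-line comment noting that root is kept only for the key-file ownership and that `CapabilityBoundingSet=` intentionally leaves it with no capabilities would help the next reader.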